Description

Various actions do not escape markup in the page name. This let an attacker to run scripts on the user browsers by clicking on a link to the page with certain actions.

Steps to reproduce

Try:

http://moinmoin.wikiwikiweb.de/WikiSandBox/%3Cscript%3Ealert%28%27Ouch%21%27%29%3C/script%3E?action=LocalSiteMap
http://moinmoin.wikiwikiweb.de/WikiSandBox/%3Cscript%3Ealert%28%27Ouch%21%27%29%3C/script%3E?action=AttachFile
http://wiki.apache.org/general/%3cscript%3ealert%28'%21'%29%3c/script%3e?action=LikePages (1.3)

Component selection

Various actions

Details

1.3 and later.

LikePages is fixed in this wiki.

Workaround

Discussion

Use proper escaping of page name.

Plan

Priority:
Assigned to: ThomasWaldmann
Status: fixed in 1.5 branch

CategoryMoinMoinBugFixed

MoinMoin: MoinMoinBugs/PageNameQuoting (last edited 2007-10-29 19:16:13 by localhost)